From 21d6701119d006dfc6c71d0359c984f8946a7aff Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Wed, 8 Jan 2025 15:57:44 +0100 Subject: [PATCH] Allow customize http vhost config using HttpdCustomization.CustomConfigSecret This change allows to customize the httpd vhost config using this parameter to specify a secret that contains service config data. The content of each provided snippet gets rendered as a go template and placed into /etc/httpd/conf/httpd_custom__ . At the end of the vhost config in the default httpd template these custom configs get included using `Include conf/httpd_custom__*`. For information on how sections in httpd configuration get merged, check section "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging All possible parameters which can be use in a template can be looked up in the -config-data secret of the service like: $ oc get secret -n openstack keystone-config-data -o json | jq -r .data.templatingParameters | base64 -d or in the running pod of the service in the file: $ cat /var/lib/config-data/default/templatingParameters The content is a versioned dump of the parameters of the service operator, like: ~~~ DatabaseConnection: mysql+pymysql://user:pwd@openstack.openstack.svc/keystone?read_default_file=/etc/my.cnf KeystoneEndpointInternal: https://keystone-internal.openstack.svc:5000 KeystoneEndpointPublic: https://keystone-public-openstack.apps-crc.testing ProcessNumber: 3 TransportURL: rabbit://user:pwd@rabbitmq.openstack.svc:5671/?ssl=1 VHosts: internal: Override: false SSLCertificateFile: /etc/pki/tls/certs/internal.crt SSLCertificateKeyFile: /etc/pki/tls/private/internal.key ServerName: keystone-internal.openstack.svc TLS: true public: Override: false SSLCertificateFile: /etc/pki/tls/certs/public.crt SSLCertificateKeyFile: /etc/pki/tls/private/public.key ServerName: keystone-public.openstack.svc TLS: true EnableSecureRBAC: true FernetMaxActiveKeys: 5 MemcachedServers: memcached-0.memcached.openstack.svc:11212 MemcachedServersWithInet: inet:[memcached-0.memcached.openstack.svc]:11211 MemcachedTLS: true ~~~ Depends-On: https://github.com/openstack-k8s-operators/lib-common/pull/591 Depends-On: https://github.com/openstack-k8s-operators/lib-common/pull/593 Jira: https://issues.redhat.com/browse/OSPRH-13100 Signed-off-by: Martin Schuppert --- .../keystone.openstack.org_keystoneapis.yaml | 10 +++ api/go.mod | 2 +- api/go.sum | 4 +- api/v1beta1/keystoneapi_types.go | 10 +++ api/v1beta1/zz_generated.deepcopy.go | 5 ++ .../keystone.openstack.org_keystoneapis.yaml | 10 +++ controllers/keystoneapi_controller.go | 78 +++++++++++++++---- go.mod | 2 +- go.sum | 4 +- templates/keystoneapi/config/httpd.conf | 5 ++ .../config/keystone-api-config.json | 11 ++- templates/keystoneapi/config/keystone.conf | 14 ++-- .../functional/keystoneapi_controller_test.go | 71 +++++++++++++++++ 13 files changed, 194 insertions(+), 32 deletions(-) diff --git a/api/bases/keystone.openstack.org_keystoneapis.yaml b/api/bases/keystone.openstack.org_keystoneapis.yaml index d5becf78..dad321ef 100644 --- a/api/bases/keystone.openstack.org_keystoneapis.yaml +++ b/api/bases/keystone.openstack.org_keystoneapis.yaml @@ -115,6 +115,16 @@ spec: httpdCustomization: description: HttpdCustomization - customize the httpd service properties: + customConfigSecret: + description: |- + CustomConfigSecret - customize the httpd vhost config using this parameter to specify + a secret that contains service config data. The content of each provided snippet gets + rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + In the default httpd template at the end of the vhost those custom configs get + included using `Include conf/httpd_custom__*`. + For information on how sections in httpd configuration get merged, check section + "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + type: string processNumber: default: 3 description: ProcessNumber - Number of processes running in keystone diff --git a/api/go.mod b/api/go.mod index ec8cdab9..994a8355 100644 --- a/api/go.mod +++ b/api/go.mod @@ -7,7 +7,7 @@ require ( github.com/google/uuid v1.6.0 github.com/gophercloud/gophercloud v1.14.1 github.com/onsi/gomega v1.34.1 - github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e + github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 diff --git a/api/go.sum b/api/go.sum index d34a372c..0101270f 100644 --- a/api/go.sum +++ b/api/go.sum @@ -80,8 +80,8 @@ github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 h1:J1wuGhVxpsHykZBa6Beb1gQ96Ptej9AE/BvwCBiRj1E= github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 h1:vXHpH93PjbAgg5ZN6n5WmxkybVQOs0nhXvVw62o7aZs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e h1:HFo4OqPY0x4ZQeaWI2YGonTXAGTQFt+rOEJlfZVhS7s= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:IASoGvp5QM/tBJUd/8i8uIjj4DBnI+64Ydh4r7pmnvA= github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e h1:/iWDp3j+ET3gE5IjKHtdZaPd4SQyLHB/4L5jB16cV3I= diff --git a/api/v1beta1/keystoneapi_types.go b/api/v1beta1/keystoneapi_types.go index 0be3e508..fcd2d94b 100644 --- a/api/v1beta1/keystoneapi_types.go +++ b/api/v1beta1/keystoneapi_types.go @@ -217,6 +217,16 @@ type HttpdCustomization struct { // +kubebuilder:validation:Minimum=1 // ProcessNumber - Number of processes running in keystone API ProcessNumber *int32 `json:"processNumber"` + + // +kubebuilder:validation:Optional + // CustomConfigSecret - customize the httpd vhost config using this parameter to specify + // a secret that contains service config data. The content of each provided snippet gets + // rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + // In the default httpd template at the end of the vhost those custom configs get + // included using `Include conf/httpd_custom__*`. + // For information on how sections in httpd configuration get merged, check section + // "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + CustomConfigSecret *string `json:"customConfigSecret,omitempty"` } // KeystoneAPIStatus defines the observed state of KeystoneAPI diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 6f1a04b2..acc0d406 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -56,6 +56,11 @@ func (in *HttpdCustomization) DeepCopyInto(out *HttpdCustomization) { *out = new(int32) **out = **in } + if in.CustomConfigSecret != nil { + in, out := &in.CustomConfigSecret, &out.CustomConfigSecret + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HttpdCustomization. diff --git a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml index d5becf78..dad321ef 100644 --- a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml +++ b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml @@ -115,6 +115,16 @@ spec: httpdCustomization: description: HttpdCustomization - customize the httpd service properties: + customConfigSecret: + description: |- + CustomConfigSecret - customize the httpd vhost config using this parameter to specify + a secret that contains service config data. The content of each provided snippet gets + rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + In the default httpd template at the end of the vhost those custom configs get + included using `Include conf/httpd_custom__*`. + For information on how sections in httpd configuration get merged, check section + "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + type: string processNumber: default: 3 description: ProcessNumber - Number of processes running in keystone diff --git a/controllers/keystoneapi_controller.go b/controllers/keystoneapi_controller.go index 60b2c8b7..5b0a9526 100644 --- a/controllers/keystoneapi_controller.go +++ b/controllers/keystoneapi_controller.go @@ -233,10 +233,11 @@ func (r *KeystoneAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request) // fields to index to reconcile when change const ( - passwordSecretField = ".spec.secret" - caBundleSecretNameField = ".spec.tls.caBundleSecretName" - tlsAPIInternalField = ".spec.tls.api.internal.secretName" - tlsAPIPublicField = ".spec.tls.api.public.secretName" + passwordSecretField = ".spec.secret" + caBundleSecretNameField = ".spec.tls.caBundleSecretName" + tlsAPIInternalField = ".spec.tls.api.internal.secretName" + tlsAPIPublicField = ".spec.tls.api.public.secretName" + httpdCustomServiceConfigSecretField = ".spec.httpdCustomization.customServiceConfigSecret" ) var allWatchFields = []string{ @@ -244,6 +245,7 @@ var allWatchFields = []string{ caBundleSecretNameField, tlsAPIInternalField, tlsAPIPublicField, + httpdCustomServiceConfigSecretField, } // SetupWithManager - @@ -298,6 +300,18 @@ func (r *KeystoneAPIReconciler) SetupWithManager(ctx context.Context, mgr ctrl.M return err } + // index httpdOverrideSecretField + if err := mgr.GetFieldIndexer().IndexField(context.Background(), &keystonev1.KeystoneAPI{}, httpdCustomServiceConfigSecretField, func(rawObj client.Object) []string { + // Extract the secret name from the spec, if one is provided + cr := rawObj.(*keystonev1.KeystoneAPI) + if cr.Spec.HttpdCustomization.CustomConfigSecret == nil { + return nil + } + return []string{*cr.Spec.HttpdCustomization.CustomConfigSecret} + }); err != nil { + return err + } + memcachedFn := func(ctx context.Context, o client.Object) []reconcile.Request { result := []reconcile.Request{} @@ -1186,9 +1200,9 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps( dbSecret := db.GetSecret() templateParameters := map[string]interface{}{ - "memcachedServers": mc.GetMemcachedServerListString(), - "memcachedServersWithInet": mc.GetMemcachedServerListWithInetString(), - "memcachedTLS": mc.GetMemcachedTLSSupport(), + "MemcachedServers": mc.GetMemcachedServerListString(), + "MemcachedServersWithInet": mc.GetMemcachedServerListWithInetString(), + "MemcachedTLS": mc.GetMemcachedTLSSupport(), "TransportURL": string(transportURLSecret.Data["transport_url"]), "DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?read_default_file=/etc/my.cnf", databaseAccount.Spec.UserName, @@ -1197,11 +1211,23 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps( keystone.DatabaseName, ), "ProcessNumber": instance.Spec.HttpdCustomization.ProcessNumber, - "enableSecureRBAC": instance.Spec.EnableSecureRBAC, - "fernetMaxActiveKeys": instance.Spec.FernetMaxActiveKeys, + "EnableSecureRBAC": instance.Spec.EnableSecureRBAC, + "FernetMaxActiveKeys": instance.Spec.FernetMaxActiveKeys, + } + + templateParameters["KeystoneEndpointPublic"], _ = instance.GetEndpoint(endpoint.EndpointPublic) + templateParameters["KeystoneEndpointInternal"], _ = instance.GetEndpoint(endpoint.EndpointInternal) + + httpdOverrideSecret := &corev1.Secret{} + if instance.Spec.HttpdCustomization.CustomConfigSecret != nil && *instance.Spec.HttpdCustomization.CustomConfigSecret != "" { + httpdOverrideSecret, _, err = oko_secret.GetSecret(ctx, h, *instance.Spec.HttpdCustomization.CustomConfigSecret, instance.Namespace) + if err != nil { + return err + } } // create httpd vhost template parameters + customTemplates := map[string]string{} httpdVhostConfig := map[string]interface{}{} for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} { endptConfig := map[string]interface{}{} @@ -1212,11 +1238,28 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps( endptConfig["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", endpt.String()) endptConfig["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", endpt.String()) } + + endptConfig["Override"] = false + if len(httpdOverrideSecret.Data) > 0 { + endptConfig["Override"] = true + for key, data := range httpdOverrideSecret.Data { + if len(data) > 0 { + customTemplates["httpd_custom_"+endpt.String()+"_"+key] = string(data) + } + } + } httpdVhostConfig[endpt.String()] = endptConfig } templateParameters["VHosts"] = httpdVhostConfig templateParameters["TimeOut"] = instance.Spec.APITimeout + // Marshal the templateParameters map to YAML + yamlData, err := yaml.Marshal(templateParameters) + if err != nil { + return fmt.Errorf("Error marshalling to YAML: %w", err) + } + customData[common.TemplateParameters] = string(yamlData) + tmpl := []util.Template{ // Scripts { @@ -1228,13 +1271,14 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps( }, // Configs { - Name: fmt.Sprintf("%s-config-data", instance.Name), - Namespace: instance.Namespace, - Type: util.TemplateTypeConfig, - InstanceType: instance.Kind, - CustomData: customData, - ConfigOptions: templateParameters, - Labels: cmLabels, + Name: fmt.Sprintf("%s-config-data", instance.Name), + Namespace: instance.Namespace, + Type: util.TemplateTypeConfig, + InstanceType: instance.Kind, + StringTemplate: customTemplates, + CustomData: customData, + ConfigOptions: templateParameters, + Labels: cmLabels, }, } return oko_secret.EnsureSecrets(ctx, h, instance, tmpl, envVars) @@ -1294,7 +1338,7 @@ func (r *KeystoneAPIReconciler) reconcileCloudConfig( Name: instance.Spec.Secret, Namespace: instance.Namespace, }, - Type: "Opaque", + Type: corev1.SecretTypeOpaque, } err = r.Client.Get(ctx, types.NamespacedName{Name: keystoneSecret.Name, Namespace: instance.Namespace}, keystoneSecret) diff --git a/go.mod b/go.mod index 7008c8f8..8a465ded 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/onsi/gomega v1.34.1 github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241217075239-1fc4566cc5ab github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240213125925-e40975f3db7e - github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e + github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e github.com/openstack-k8s-operators/mariadb-operator/api v0.5.0 diff --git a/go.sum b/go.sum index 9270d6c7..aeb86209 100644 --- a/go.sum +++ b/go.sum @@ -80,8 +80,8 @@ github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 h1:J1wuGhVxpsHykZBa6 github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4= github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241217075239-1fc4566cc5ab h1:Pm9zQyhrs/zGAk9jvyt0hSBP28aHsFdWyI99M/lvFxU= github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241217075239-1fc4566cc5ab/go.mod h1:SSYBbFbgQbOwyY2cQNet7fSdQHHPb2rLo6GXE97Awp8= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 h1:vXHpH93PjbAgg5ZN6n5WmxkybVQOs0nhXvVw62o7aZs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e h1:HFo4OqPY0x4ZQeaWI2YGonTXAGTQFt+rOEJlfZVhS7s= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:IASoGvp5QM/tBJUd/8i8uIjj4DBnI+64Ydh4r7pmnvA= github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e h1:/iWDp3j+ET3gE5IjKHtdZaPd4SQyLHB/4L5jB16cV3I= diff --git a/templates/keystoneapi/config/httpd.conf b/templates/keystoneapi/config/httpd.conf index 8a023700..be1e20df 100644 --- a/templates/keystoneapi/config/httpd.conf +++ b/templates/keystoneapi/config/httpd.conf @@ -58,5 +58,10 @@ CustomLog /dev/stdout proxy env=forwarded WSGIProcessGroup {{ $endpt }} WSGIScriptAlias / "/usr/bin/keystone-wsgi-public" WSGIPassAuthorization On + +{{- if $vhost.Override }} + Include conf/httpd_custom_{{ $endpt }}_* +{{- end }} + {{ end }} diff --git a/templates/keystoneapi/config/keystone-api-config.json b/templates/keystoneapi/config/keystone-api-config.json index 8b255455..5d4b3ede 100644 --- a/templates/keystoneapi/config/keystone-api-config.json +++ b/templates/keystoneapi/config/keystone-api-config.json @@ -16,13 +16,13 @@ { "source": "/var/lib/config-data/default/httpd.conf", "dest": "/etc/httpd/conf/httpd.conf", - "owner": "root", + "owner": "apache", "perm": "0644" }, { "source": "/var/lib/config-data/default/ssl.conf", "dest": "/etc/httpd/conf.d/ssl.conf", - "owner": "root", + "owner": "apache", "perm": "0644" }, { @@ -58,6 +58,13 @@ "dest": "/etc/my.cnf", "owner": "keystone", "perm": "0644" + }, + { + "source": "/var/lib/config-data/default/httpd_custom_*", + "dest": "/etc/httpd/conf/", + "owner": "apache", + "perm": "0444", + "optional": true } ] } diff --git a/templates/keystoneapi/config/keystone.conf b/templates/keystoneapi/config/keystone.conf index f2a2165b..0023a16f 100644 --- a/templates/keystoneapi/config/keystone.conf +++ b/templates/keystoneapi/config/keystone.conf @@ -2,15 +2,15 @@ use_stderr=true [cache] -{{if .memcachedTLS}} +{{if .MemcachedTLS}} backend = dogpile.cache.pymemcache -memcache_servers={{ .memcachedServers }} +memcache_servers={{ .MemcachedServers }} {{else}} backend = dogpile.cache.memcached -memcache_servers={{ .memcachedServersWithInet }} +memcache_servers={{ .MemcachedServersWithInet }} {{end}} enabled=true -tls_enabled={{ .memcachedTLS }} +tls_enabled={{ .MemcachedTLS }} [database] max_retries=-1 @@ -18,12 +18,12 @@ db_max_retries=-1 connection={{ .DatabaseConnection }} [oslo_policy] -enforce_new_defaults = {{ .enableSecureRBAC }} -enforce_scope = {{ .enableSecureRBAC }} +enforce_new_defaults = {{ .EnableSecureRBAC }} +enforce_scope = {{ .EnableSecureRBAC }} [fernet_tokens] key_repository=/etc/keystone/fernet-keys -max_active_keys={{ .fernetMaxActiveKeys }} +max_active_keys={{ .FernetMaxActiveKeys }} {{ if (index . "TransportURL") }} [oslo_messaging_notifications] diff --git a/tests/functional/keystoneapi_controller_test.go b/tests/functional/keystoneapi_controller_test.go index a9d9f8ca..4febddfc 100644 --- a/tests/functional/keystoneapi_controller_test.go +++ b/tests/functional/keystoneapi_controller_test.go @@ -27,6 +27,7 @@ import ( . "github.com/onsi/gomega" //revive:disable:dot-imports //revive:disable-next-line:dot-imports + "github.com/openstack-k8s-operators/lib-common/modules/common" . "github.com/openstack-k8s-operators/lib-common/modules/common/test/helpers" memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1" @@ -1568,6 +1569,76 @@ var _ = Describe("Keystone controller", func() { }) }) + When("A KeystoneAPI is created with HttpdCustomization.OverrideSecret", func() { + BeforeEach(func() { + customServiceConfigSecretName := types.NamespacedName{Name: "foo", Namespace: namespace} + customConfig := []byte(`OIDCResponseType "id_token" +OIDCMemCacheServers "{{ .MemcachedServers }}" +OIDCRedirectURI "{{ .KeystoneEndpointPublic }}/v3/auth/OS-FEDERATION/websso/openid"`) + th.CreateSecret( + customServiceConfigSecretName, + map[string][]byte{ + "bar.conf": customConfig, + }, + ) + + spec := GetDefaultKeystoneAPISpec() + spec["httpdCustomization"] = map[string]interface{}{ + "customConfigSecret": customServiceConfigSecretName.Name, + } + + DeferCleanup( + k8sClient.Delete, ctx, CreateKeystoneMessageBusSecret(namespace, "rabbitmq-secret")) + keystone := CreateKeystoneAPI(keystoneAPIName, spec) + DeferCleanup(th.DeleteInstance, keystone) + DeferCleanup( + k8sClient.Delete, ctx, CreateKeystoneAPISecret(namespace, SecretName)) + DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, "memcached", memcachedSpec)) + DeferCleanup( + mariadb.DeleteDBService, + mariadb.CreateDBService( + namespace, + GetKeystoneAPI(keystoneAPIName).Spec.DatabaseInstance, + corev1.ServiceSpec{ + Ports: []corev1.ServicePort{{Port: 3306}}, + }, + ), + ) + mariadb.SimulateMariaDBAccountCompleted(keystoneAccountName) + mariadb.SimulateMariaDBDatabaseCompleted(keystoneDatabaseName) + infra.SimulateTransportURLReady(types.NamespacedName{ + Name: fmt.Sprintf("%s-keystone-transport", keystoneAPIName.Name), + Namespace: namespace, + }) + infra.SimulateMemcachedReady(types.NamespacedName{ + Name: "memcached", + Namespace: namespace, + }) + th.SimulateJobSuccess(dbSyncJobName) + th.SimulateJobSuccess(bootstrapJobName) + th.SimulateDeploymentReplicaReady(deploymentName) + }) + + It("it renders the custom template and adds it to the keystone-config-data secret", func() { + scrt := th.GetSecret(keystoneAPIConfigDataName) + Expect(scrt).ShouldNot(BeNil()) + Expect(scrt.Data).Should(HaveKey(common.TemplateParameters)) + configData := string(scrt.Data[common.TemplateParameters]) + memcachedServers := fmt.Sprintf("memcached-0.memcached.%s.svc:11211,memcached-1.memcached.%s.svc:11211,memcached-2.memcached.%s.svc:11211", + namespace, namespace, namespace) + Expect(configData).Should(ContainSubstring(fmt.Sprintf("MemcachedServers: %s", memcachedServers))) + + for _, cfg := range []string{"httpd_custom_internal_bar.conf", "httpd_custom_public_bar.conf"} { + Expect(scrt.Data).Should(HaveKey(cfg)) + configData := string(scrt.Data[cfg]) + Expect(configData).Should(ContainSubstring("OIDCResponseType \"id_token\"")) + Expect(configData).Should(ContainSubstring(fmt.Sprintf("OIDCMemCacheServers \"%s\"", memcachedServers))) + Expect(configData).Should(ContainSubstring( + fmt.Sprintf("OIDCRedirectURI \"http://keystone-public.%s.svc:5000/v3/auth/OS-FEDERATION/websso/openid\"", namespace))) + } + }) + }) + // Run MariaDBAccount suite tests. these are pre-packaged ginkgo tests // that exercise standard account create / update patterns that should be // common to all controllers that ensure MariaDBAccount CRs.